Lucene search

K
ubuntucveUbuntu.comUB:CVE-2021-41773
HistoryOct 05, 2021 - 12:00 a.m.

CVE-2021-41773

2021-10-0500:00:00
ubuntu.com
ubuntu.com
51

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.975

Percentile

100.0%

A flaw was found in a change made to path normalization in Apache HTTP
Server 2.4.49. An attacker could use a path traversal attack to map URLs to
files outside the directories configured by Alias-like directives. If files
outside of these directories are not protected by the usual default
configuration “require all denied”, these requests can succeed. If CGI
scripts are also enabled for these aliased pathes, this could allow for
remote code execution. This issue is known to be exploited in the wild.
This issue only affects Apache 2.4.49 and not earlier versions. The fix in
Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.975

Percentile

100.0%